
Overview

DevolutionSync implements a secure authentication system with role-based access control (RBAC), session management, and automatic security measures to protect enterprise data.

Role-Based Access Control

The system defines three user roles (grades) with distinct permissions:

Admin (grade 1)
  Full system access with approval authority

Auxiliary (grade 2)
  Register and manage product returns

Consultation (grade 3)
  Read-only access to system data

Admin permissions:
  • Access to dashboard and analytics
  • Review and approve/reject returns
  • View complete system history
  • Manage authorization codes
Redirect after login: index.php?url=home/index

Login Process

1. User submits credentials: the user provides their username and password through the login form.
2. Credential validation: the system queries the database to validate the credentials and retrieve the user's role.
3. Session creation: upon successful authentication, a secure session is created with user details and timestamps.
4. Role-based redirect: the user is automatically redirected to their role-specific dashboard.

Implementation

The authentication flow is handled by the AuthController class:
controllers/AuthController.php
public function login() {
    header('Content-Type: application/json');
    
    if ($_SERVER['REQUEST_METHOD'] === 'POST') {
        $username = trim($_POST['username'] ?? '');
        $password = $_POST['password'] ?? '';

        $user = $this->model->buscarUsuario($username);

        if ($user && $password === $user['PAS']) {
            $_SESSION['user'] = $user['USR'];
            $_SESSION['nombre'] = $user['NOMBRE'];
            $_SESSION['grado'] = $user['GRADO'];
            $_SESSION['logged_in'] = true;
            $_SESSION['last_activity'] = time();
            
            session_regenerate_id(true);

            echo json_encode([
                'success' => true,
                'redirect' => $this->getRedirectUrl($user['GRADO'])
            ]);
        } else {
            echo json_encode(['success' => false, 'message' => 'Credenciales incorrectas']);
        }
    }
}
The session_regenerate_id(true) call prevents session fixation attacks by generating a new session ID after successful login.

Session Management

Session Variables

The system stores the following data in the PHP session:
Variable        Description                    Example
user            Username identifier            ANALISTA
nombre          Full name of the user          SEBASTIAN OBANDO
grado           Role level (1-3)               1
logged_in       Authentication flag            true
last_activity   Timestamp of last action       1709654400

Session Initialization

Every controller initializes the session and verifies authentication:
controllers/PanelController.php
public function __construct() {
    if (session_status() === PHP_SESSION_NONE) session_start();
    
    // Verify authentication
    if (!isset($_SESSION['logged_in'])) {
        header('Location: index.php?url=auth/index');
        exit;
    }
    
    // Verify permissions (only Admin grade 1 or Auxiliary grade 2)
    if (!isset($_SESSION['grado']) || ($_SESSION['grado'] != 1 && $_SESSION['grado'] != 2)) {
        header('Location: index.php?url=home/index');
        exit;
    }
}

Database Structure

User credentials are stored in the usuarios table:
Script_BD/Script_DB.sql
CREATE TABLE `usuarios` (
    `USR` VARCHAR(50) NOT NULL,
    `PAS` VARCHAR(50) NOT NULL,
    `NOMBRE` VARCHAR(100) NOT NULL,
    `GRADO` INT NOT NULL,
    PRIMARY KEY (`USR`)
)

User Lookup

The AuthModel handles database queries:
models/AuthModel.php
public function buscarUsuario($username) {
    $sql = "SELECT USR, PAS, GRADO, NOMBRE FROM usuarios WHERE USR = ?";
    $stmt = $this->db->prepare($sql);
    $stmt->execute([$username]);
    return $stmt->fetch(PDO::FETCH_ASSOC);
}
The current implementation stores passwords in plain text. For production environments, implement password hashing using password_hash() and password_verify().
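The following is an added example (not the project's own code) of how the plain-text comparison in login() can be replaced with password_hash()/password_verify(). It assumes the PAS column has been widened (for example to VARCHAR(255)), because a bcrypt hash is 60 characters and would be truncated by the current VARCHAR(50); the function and variable names are illustrative.

```php
<?php
// Added example, not part of DevolutionSync. Assumes:
//   ALTER TABLE usuarios MODIFY PAS VARCHAR(255) NOT NULL;
// has been applied, since password_hash() output does not fit VARCHAR(50).

// One-time migration helper: hash an existing plain-text password before
// storing it (run once per row of the usuarios table).
function hashPasswordForStorage(string $plain): string {
    return password_hash($plain, PASSWORD_DEFAULT);
}

// Drop-in replacement for `$user && $password === $user['PAS']` in
// AuthController::login(). $user is the row from buscarUsuario() or false.
function authenticateUser(PDO $db, $user, string $password): bool {
    if ($user === false) {
        // Unknown username: still run one hash verification so the response
        // time does not reveal which usernames exist in the table.
        password_verify($password, password_hash('unused', PASSWORD_DEFAULT));
        return false;
    }

    if (!password_verify($password, $user['PAS'])) {
        return false;
    }

    // Transparently upgrade hashes whose algorithm or cost has become
    // outdated since they were stored (e.g. after a PHP upgrade).
    if (password_needs_rehash($user['PAS'], PASSWORD_DEFAULT)) {
        $stmt = $db->prepare("UPDATE usuarios SET PAS = ? WHERE USR = ?");
        $stmt->execute([password_hash($password, PASSWORD_DEFAULT), $user['USR']]);
    }
    return true;
}

// Usage inside login(), where $this->db is the PDO handle used by AuthModel:
//   if (authenticateUser($this->db, $user, $password)) { /* create session */ }
```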

Logout Process

The logout function destroys the session and redirects to the login page:
controllers/AuthController.php
public function logout() {
    session_unset();
    session_destroy();
    header('Location: index.php?url=auth/index');
    exit;
}

Security Features

  • After successful login, the system calls session_regenerate_id(true) to prevent session fixation attacks.
  • Every protected controller validates both authentication status and role permissions before allowing access.
  • The last_activity session variable enables session timeout implementation to automatically log out inactive users.
  • All database queries use PDO prepared statements to prevent SQL injection attacks.
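The page stores last_activity but does not show the timeout check itself. The following added example (not project code) implements an inactivity timeout on top of that variable and bundles it with the same authentication and grade checks that PanelController performs in its constructor; the 15-minute limit and the function names are assumptions.

```php
<?php
// Added example, not part of DevolutionSync.
// Assumed inactivity limit: 15 minutes. Adjust to the deployment's policy.
const INACTIVITY_LIMIT = 15 * 60;

// Returns true when the session is logged in and was used within $limit seconds.
// On timeout the session array is emptied so the caller can redirect to login.
// $now is passed in rather than read from time() so the logic is testable.
function sessionIsActive(array &$session, int $now, int $limit = INACTIVITY_LIMIT): bool {
    if (empty($session['logged_in'])) {
        return false;
    }
    $last = (int)($session['last_activity'] ?? 0);
    if ($now - $last > $limit) {
        $session = [];                    // drop the stale login state
        return false;
    }
    $session['last_activity'] = $now;     // sliding window: refresh on each request
    return true;
}

// Grade check matching PanelController: only Admin (1) or Auxiliary (2).
// Strict in_array() avoids loose comparisons such as "1abc" == 1.
function hasPanelAccess(array $session, array $allowed = [1, 2]): bool {
    return isset($session['grado'])
        && in_array((int)$session['grado'], $allowed, true);
}

// Drop-in for a protected controller's constructor.
function requirePanelAccess(): void {
    if (session_status() === PHP_SESSION_NONE) session_start();

    if (!sessionIsActive($_SESSION, time())) {
        // Expired or never logged in: discard the session entirely.
        session_unset();
        session_destroy();
        header('Location: index.php?url=auth/index');
        exit;
    }
    if (!hasPanelAccess($_SESSION)) {
        header('Location: index.php?url=home/index');
        exit;
    }
}
```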

Default Users

The system includes three default users for testing:
Script_BD/Script_DB.sql
INSERT INTO `usuarios` (`USR`, `PAS`, `NOMBRE`, `GRADO`) VALUES 
('ANALISTA', '1088350785', 'SEBASTIAN OBANDO', 1),
('AUXILIAR', '895623', 'AUXILIAR', 2),
('CONSULTA', '895623', 'CONSULTA', 3);
Change default passwords immediately after installation for security.

Next Steps

Return Management

Learn how Auxiliary users register product returns

Approval Workflow

Understand the admin review and approval process
